GDPR: Lessons Learned

It’s been more than a year since the General Data Protection Regulation (GDPR) went into effect in the EU. While this series of data privacy and protection laws applies to citizens of the EU, any global organization that holds or processes EU resident data is subject to GDPR regulation.

It’s clear that GDPR has and will continue to change the landscape of data protection; many countries and states in the U.S. are expected to follow in the GDPR’s footsteps with similar legislation. If your organization isn’t ready for the added work of becoming GDPR compliant, you might be in for a surprise.

That said, it’s never too late to analyze and improve your data protection strategy. In this article, we’ll take a look at the effects of GDPR so far and offer some tips on how you can up your data protection strategy.

GDPR: A Brief Overview

The GDPR is a comprehensive set of laws approved by the European Union Parliament in 2016, focused on protecting the privacy and personal data of individuals in the EU. The laws took effect on May 25th, 2018 and replace existing data privacy laws to offer consumers greater control over how their personal data is collected and used.

The three main goals of GDPR are the protection of users’ rights with regard to their data, the implementation of laws that keep up with the rapidly changing landscape of technology, and the creation of unified and consistent data regulation across the EU. The laws also dictate how personal data can be used with regard to consent, documentation, access to information, data erasure, data changes, and objections.

The Impact So Far

In the past year, companies and regulators have been hard at work implementing and enforcing GDPR regulations. While pre-GDPR laws allowed individual EU member nations to write and pass their own breach-notification laws, GDPR requires organizations to report data breaches to both the affected individuals and the appropriate regulatory authorities within 72 hours of discovery. GDPR also calls for the mandatory appointment of a Data Protection Officer (DPO) at every organization that processes or stores personal data for EU citizens.

According to IAPP research on the effects of GDPR so far, approximately 500,000 organizations are estimated to have DPOs. Since May 2018, there have been more than 89,000 data breach notifications, resulting in more than £56,000,000 in fines. According to a recent press release from the European Commission, “the new law has become Europe’s regulatory floor that shapes our response in many other areas. From Artificial Intelligence, development of 5G networks to the integrity of our elections, strong data protection rules help to develop our policies and technologies based on people’s trust.”

GDPR has effectively set new standards for the global data protection landscape. European countries not subject to the EU legislation, like Norway, Switzerland, and Iceland, have adopted data compliance regulations almost identical to the GDPR. Similarly, countries in Asia and Africa with close ties to Europe are redesigning their data privacy regulations to more closely resemble that of the EU. The U.S. is also beginning to rethink data rights and protection. In June 2018, California—home to Silicon Valley—passed the California Consumer Privacy Act, which is a bill meant to enhance privacy rights and consumer protection for the residents of that state.

Tips for Compliance in WordPress

If you have customers in the EU, you’ve probably already taken steps to make your WordPress website compliant. However, if you haven’t implemented a data privacy strategy yet, or you’re looking to improve your current state of data protection, here are some tips:

Carry out a dedicated security audit of your website

A security audit is a systematic evaluation of a company’s information system against an established set of criteria. A full security audit will help you understand your current policies and strengthen them. A number of third-party tools and plugins, including Sucuri Scanner, WordFence, and WP Engine’s Global Edge Security, can help with a comprehensive audit.

Have a procedure in place to notify users of a data breach

GDPR has definitive guidelines regarding the communication of a data breach to users. If your organization collects customer information, offers user accounts, or maintains a cadence of communication through an email newsletter, you need to have a data breach communication strategy in place. The WordPress plugin repository has a number of GDPR compliance plugins that can help with implementing this.

Make sure your cookie policy is up to date

WordPress itself mainly uses cookies to keep users logged in, but many websites have cookies scattered throughout the digital experience. The EU Cookie Law requires users’ informed consent before storing cookies on a user’s device and/or tracking them. The cookie policy must indicate the type of cookies installed, detail the purpose of the installation, indicate all third parties that could install cookies, and be available in all languages in which the services are provided.

Be conscious of data access

A privacy-conscious workflow should include an evaluation of physical access to data. This means being conscious of insecure servers, potential abuse of data by employees and contractors, and unencrypted hardware and peripherals. Organizations need to pay close attention to user roles and grant data access only to vetted persons. A major component of the GDPR is the protection of European data sent to other countries. Any non-European third party that has access to European data, whether a web host, cloud storage provider, external app, or business partner, will need to be vetted to make sure that it safeguards European data to EU standards.

GDPR Compliance and WP Engine

WP Engine takes the trust our customers place in us when they choose to store personal data on our platform very seriously. Since GDPR’s release in 2018, WP Engine has complied with its requirements, both as a controller of our customers’ account data and a processor of the end-user personal data our customers store on our platform. For more information on GDPR compliance as a WP Engine customer, check out our Terms & Conditions.